Commit Graph

6010 Commits (fdca396bc87817563c52f517e20bae2132675b18)

Author SHA1 Message Date
sinn3r b5fc0493a5
Land #2642 - Fix titles 2013-11-18 12:14:36 -06:00
jvazquez-r7 9e46975a95
Land #2643, @ChrisJohnRiley SkipVersionCheck for exim4_dovecot_bannercheck 2013-11-18 11:28:07 -06:00
jvazquez-r7 540b85df3f Set SkipVersionCheck as not required 2013-11-18 11:27:32 -06:00
jvazquez-r7 bddb314073 Fix usage of Retries 2013-11-18 09:09:20 -06:00
jvazquez-r7 237bb22771 Disable auto migrate 2013-11-18 08:54:22 -06:00
Thomas Hibbert 960f7c9bbb Add DesktopCentral arbitrary file upload exploit. 2013-11-18 16:11:28 +13:00
Thomas Hibbert 60a245b0c3 Fix the arch declaration in uploaded module. 2013-11-18 14:49:03 +13:00
Thomas Hibbert 636fdfe2d2 Added Kaseya uploadImage exploit. 2013-11-18 14:23:34 +13:00
Tod Beardsley 89d0b3c41c
Return the splat and require on a module. 2013-11-15 12:19:53 -06:00
Tod Beardsley 36db6a4d59
Land #2616, SuperMicro close_window BOF 2013-11-15 11:34:53 -06:00
jvazquez-r7 cbb7eb192c Add module for CVE-2013-3918 2013-11-15 10:38:52 -06:00
Chris John Riley 5bd5eacd77 Added option to ignore banner checks 2013-11-15 15:01:11 +01:00
William Vu 2c485c509e Fix caps on module titles (first pass) 2013-11-15 00:03:42 -06:00
jvazquez-r7 4cf16cf360
Land #2633, @OJ's port of Kitrap0d as local exploit 2013-11-14 09:27:10 -06:00
jvazquez-r7 fe2cd93a65 Delete ms13_037_svg_dashstyle from the browser_autopwn list 2013-11-13 23:46:50 -06:00
OJ 506a4d9e67
Remove genericity, x64 and renamed stuff
As per discussion on the github issue, the following changes were made:

* Project renamed from elevate to kitrap0d, implying that this is not
  intended to be a generic local priv esc exploit container.
* Container DLL no longer generic, always calls the kitrap0d exploit.
* Removal of all x64 code and project configurations.
* Invocation of the exploit changed so that the address of the payload
  is passed in to the exploit entry point. The exploit is now responsible
  for executing the payload if the exploit is successful. This removes
  the possibility of the payload getting executed when the exploit fails.
* Source moved to the appropriate CVE folder.
* Binary moved to the appropriate CVE folder.
* Little bit of source rejigging to tidy things up.
2013-11-14 12:22:53 +10:00
jvazquez-r7 8771b163f0 Solve conflicts with aladdin_choosefilepath_bof 2013-11-12 23:11:42 -06:00
OJ e4fc361b37 Various tidies and fixes
* Change ranking.
* Update references to comply with correct approach.
* Update messages to better describe what should happen.
* Update the Windows version regex to match XP.
* Update `check` function to use `unless`.

Thanks again @jvazquez-r7 for the feedback!
2013-11-13 10:38:48 +10:00
jvazquez-r7 ef6d9db48f
Land #2613, @wchen-r7's BrowserExploitServer mixin 2013-11-12 17:33:12 -06:00
jvazquez-r7 004c1bac78 Reduce number of modules available on BrowserAutopwn 2013-11-12 12:37:29 -06:00
OJ 40f58ce534
Finalise the local exploit for kitrap0d
The exploit now properly injects the DLL using RDI and invokes the
exploit based on a parameter passed by the Ruby module. The elevate
code is 'generic' with a goal of possibly supporting more exploits
down the track.

New sessions are now created with the SYSTEM creds, rather than
modifying the existing session. This is now inline with how things
are done with other local modules.
2013-11-12 23:01:24 +10:00
Tod Beardsley 65993704c3
Actually commit the mode change. 2013-11-11 22:16:29 -06:00
Tod Beardsley 2035983d3c
Fix a handful of msftidy warnings, and XXX SSL
Marked the SSL stuff as something that needs to be resolved in order to
fix a future bug in datastore manipulation. Also, fixed some whitespace
and exec complaints

[SeeRM #8498]
2013-11-11 21:23:35 -06:00
jvazquez-r7 b01d8c50e0 Restore module crash documentation 2013-11-11 17:09:41 -06:00
jvazquez-r7 30de61168d Support heap spray obfuscation 2013-11-11 17:05:54 -06:00
jvazquez-r7 922f0eb900 Switch aladdin_choosefilepath_bof2 to use BrowserExploitServer 2013-11-11 17:01:09 -06:00
sinn3r b887ed68b5
Land #2608 - Allow guest login option for psexec. 2013-11-11 10:09:41 -06:00
OJ 82739c0315 Add extra URL for exploit detail 2013-11-11 22:07:36 +10:00
OJ 6a25ba18be Move kitrap0d exploit from getsystem to local exploit
This version modifies the existing meterpreter session and bumps the privs
up to SYSTEM. However it's not how local exploits are supposed to work.
More work will be done to make this create a new session with the elevated
privs instead.
2013-11-11 17:14:40 +10:00
jvazquez-r7 40f8e80775 Fix jlee-r7's feedback 2013-11-08 14:28:19 -06:00
jvazquez-r7 d419c73488
Land #2517, @3v0lver's exploit for cve-2008-2286 2013-11-08 08:41:04 -06:00
jvazquez-r7 fddb69edb3 Use instance variables for 1-time injections 2013-11-08 08:30:35 -06:00
jvazquez-r7 69b261a9f2 Clean post exploitation code 2013-11-07 18:11:54 -06:00
jvazquez-r7 9f51268d21 Make xp_shell_enable instance variable 2013-11-07 17:53:28 -06:00
jvazquez-r7 aa1000df72 Clean check method 2013-11-07 17:44:22 -06:00
jvazquez-r7 c2662d28e0 Move module to the misc folder 2013-11-07 17:34:22 -06:00
jvazquez-r7 b068e4beb5 Fix indentation and refactor send_update_computer 2013-11-07 17:33:35 -06:00
jvazquez-r7 b7e360922d Update ranking 2013-11-07 15:10:26 -06:00
jvazquez-r7 decf6ff6a0 Add module for CVE-2013-3623 2013-11-07 14:59:40 -06:00
jvazquez-r7 bdba80c05c
Land #2569, @averagesecurityguy and others exploit for CVE-2013-4468, CVE-2013-4467 2013-11-07 12:20:42 -06:00
scriptjunkie 7615264b17 Merge branch 'lanattacks_fix' of git://github.com/OJ/metasploit-framework into OJ-lanattacks_fix 2013-11-07 10:35:00 -06:00
root 944528e633 Updated for temporal pathing with TEMP variable 2013-11-07 01:34:55 -05:00
jvazquez-r7 2d4090d9c3 Make option astGUIclient credentials 2013-11-06 20:33:47 -06:00
jvazquez-r7 24d22c96a5 Improve exploitation 2013-11-06 20:15:40 -06:00
jvazquez-r7 2b2ec1a576 Change module location 2013-11-06 15:53:45 -06:00
jvazquez-r7 b9cb8e7930 Add new options 2013-11-06 15:53:12 -06:00
scriptjunkie 61e4700832
Allow guest login option.
This enables obtaining or maintaining access to properly misconfigured
systems through the Guest account.
2013-11-06 11:28:13 -06:00
OJ 7dcb071f11 Remote shebang and fix pxexeploit 2013-11-06 07:10:25 +10:00
James Lee 9e30c58495 Blow away remnants of Local::Unix 2013-11-05 13:51:45 -06:00
James Lee 36f96d343e Revert "Revert "Land #2505" to resolve new rspec fails"
This reverts commit e7d3206dc9.
2013-11-05 13:45:00 -06:00
Tod Beardsley 84572c58a8
Minor fixup for release
* Adds some new refs.
  * Fixes a typo in a module desc.
  * Fixes a weird slash continuation for string building (See #2589)
2013-11-04 12:10:38 -06:00
root 5c923757e8 Removed generic command execution capability 2013-10-30 21:35:24 -04:00
William Vu f5d1d8eace chmod -x .rb files without #! in modules and lib
It wasn't just cmdstager_printf.rb. :/
2013-10-30 19:51:25 -05:00
jvazquez-r7 c92e8ff98d Delete extra space 2013-10-30 19:34:54 -05:00
Tod Beardsley e488a54a06
Resplat new WMI module 2013-10-30 15:14:16 -05:00
Tod Beardsley 98224ee89f
CVE update for vtiger issue 2013-10-30 13:48:35 -05:00
Tod Beardsley 344413b74d
Reorder refs for some reason. 2013-10-30 12:25:55 -05:00
Tod Beardsley 32794f9d37
Move OpenBravo to aux module land 2013-10-30 12:20:04 -05:00
Tod Beardsley 17d796296c
Un-dupe References for ispconfig 2013-10-30 12:03:35 -05:00
Tod Beardsley 0d480f3a7d
Typo fix 2013-10-30 11:38:04 -05:00
Tod Beardsley 97a4ca0752
Update references for FOSS modules 2013-10-30 11:36:16 -05:00
Tod Beardsley 78381316a2
Add @brandonprry's seven new modules
Already reviewed privately, no associated PR.
2013-10-30 11:04:21 -05:00
Tod Beardsley 5b76947767
Add a few more modules. 2013-10-30 10:25:48 -05:00
jvazquez-r7 c8ceaa25c6
Land #2589, @wvu-r7's exploit for OSVDB 98714 2013-10-29 14:56:30 -05:00
jvazquez-r7 9f81aeb4ad Fix style 2013-10-29 14:55:16 -05:00
William Vu 5af42f2c28 Add short comment on why the padding is necessary 2013-10-29 11:46:10 -05:00
William Vu e368cb0a5e Add Win7 SP1 to WinXP SP3 target 2013-10-29 10:45:14 -05:00
jvazquez-r7 c4c171d63f Clean processmaker_exec 2013-10-29 09:53:39 -05:00
bcoles 3eed800b85 Add ProcessMaker Open Source Authenticated PHP Code Execution 2013-10-29 23:27:29 +10:30
William Vu ea7bba4035 Add Beetel Connection Manager NetConfig.ini BOF 2013-10-28 22:52:02 -05:00
Tod Beardsley 9045eb06b0
Various title and description updates 2013-10-28 14:00:19 -05:00
William Vu 278dff93e7 Add missing require for Msf::Exploit::Powershell
Thanks for the report, @mubix.
2013-10-25 21:41:24 -05:00
jvazquez-r7 b69ee1fc67 [FixRM #8419] Add module platform to ms04_011_pct 2013-10-25 09:29:19 -05:00
jvazquez-r7 dd094eee04 Use 443 by default with SSL 2013-10-24 16:30:26 -05:00
jvazquez-r7 72f686d99a Add module for CVE-2013-2751 2013-10-24 16:10:32 -05:00
jvazquez-r7 2ef33aabe7 Clean open_flash_chart_upload_exec 2013-10-24 10:15:28 -05:00
AverageSecurityGuy 110daa6e96 Check for nil response from request in check method. 2013-10-24 09:12:37 -04:00
bcoles 8a5d4d45b4 Add Open Flash Chart v2 Arbitrary File Upload exploit 2013-10-24 22:46:41 +10:30
AverageSecurityGuy ecbbd7bb4b Ran resplat.rb and retab.rb. Fixed msftidy issues. 2013-10-23 20:59:27 -04:00
AverageSecurityGuy 655e09f007 Fixed description to look better in info output. 2013-10-23 16:36:39 -04:00
AverageSecurityGuy 9f84ced00e Fixed boilerplate text. 2013-10-23 16:13:25 -04:00
AverageSecurityGuy 58a32ebb45 Initial commit. 2013-10-23 14:47:42 -04:00
William Vu bea04cceeb Remove the trailing slash from the ZDI ref 2013-10-23 11:05:33 -05:00
Booboule 7d84fa487e Correct ZDI ref to match new scheme 2013-10-23 11:44:44 +02:00
sinn3r acc73dd545
Land #2282 - BypassUAC now checks if the process is LowIntegrityLevel 2013-10-22 17:16:26 -05:00
sinn3r af174639cd
Land #2468 - Hwnd Broadcast Performance 2013-10-22 17:03:02 -05:00
sinn3r 2e8c369c69
Land #2559 - remove content-length 2013-10-22 16:03:42 -05:00
Tod Beardsley dc0d9ae21d
Land #2560, ZDI references
[FixRM #8513]
2013-10-22 15:58:21 -05:00
Meatballs 8611a2a24c
Merge remote-tracking branch 'upstream/master' into low_integ_bypassuac 2013-10-22 21:42:36 +01:00
sinn3r ba1edc6fa8
Land #2402 - Windows Management Instrumentation Local -> Peers 2013-10-22 15:39:32 -05:00
root 85479f5994 removed PrependMigrate, introduced migrate -f 2013-10-22 16:11:19 -04:00
jvazquez-r7 11b2719ccc Change module plate 2013-10-22 12:36:58 -05:00
jvazquez-r7 df42dfe863
Land #2536, @ddouhine's exploit for ZDI-11-061 2013-10-22 12:35:40 -05:00
jvazquez-r7 c34155b8be Clean replication_manager_exec 2013-10-22 12:34:35 -05:00
jvazquez-r7 71fab72e06 Delete duplicate content-length from axis2_deployer 2013-10-21 15:35:51 -05:00
William Vu 2aed8a3aea Update modules to use new ZDI reference 2013-10-21 15:13:46 -05:00
jvazquez-r7 10a4ff41de Delete Content-Length duplicate header 2013-10-21 15:11:37 -05:00
sinn3r 1599d1171d
Land #2558 - Release fixes 2013-10-21 13:48:11 -05:00
Tod Beardsley c1954c458c
Just warn, don't bail
Even if the OS detection returns non-Win7, maybe it's Win 8 or something
where it'll still work. We rarely bail out on checks like these.

If I'm crazy, feel free to skip or revert this commit (it shouldn't hold
up the release at all)

For details on this module, see #2503. I don't see any comments about
this line in particular
2013-10-21 13:39:45 -05:00
Tod Beardsley bce8d9a90f
Update license comments with resplat. 2013-10-21 13:36:15 -05:00
Tod Beardsley c070108da6
Release-related updates
* Lua is not an acronym
  * Adds an OSVDB ref
  * credit @jvazquez-r7, not HD, for the Windows CMD thing
2013-10-21 13:33:00 -05:00
sinn3r 4c14595525
Land #2535 - Use %PATH% for notepad 2013-10-21 13:14:44 -05:00
sinn3r 032da9be10
Land #2426 - make use of Msf::Config.data_directory 2013-10-21 13:07:33 -05:00
Tod Beardsley e7d3206dc9
Revert "Land #2505" to resolve new rspec fails
This reverts commit 717dfefead, reversing
changes made to 6430fa3354.
2013-10-21 12:47:57 -05:00
sinn3r cacaf40276
Land #2542 - D-Link DIR-605L Captcha Handling Buffer Overflow 2013-10-21 12:03:07 -05:00
sinn3r 9bfd98b001 Change plate 2013-10-21 11:54:42 -05:00
William Vu 717dfefead
Land #2505, missing source fix for sock_sendpage 2013-10-21 11:47:55 -05:00
sinn3r 6430fa3354
Land #2539 - Support Windows CMD generic payload
This also upgrades auxiliary/admin/scada/igss_exec_17 to an exploit
2013-10-21 11:26:13 -05:00
sinn3r 45d06dd28d Change plate 2013-10-21 11:24:30 -05:00
sinn3r 8c05f8cf51
Land #2550 - Add HP Intelligent Managemetn UploadServlet dir traversal 2013-10-21 11:14:22 -05:00
sinn3r d22e4ac2f1 Check timeout condition 2013-10-21 11:13:48 -05:00
sinn3r 36dace26fa
Land #2538 - Fix redirect URLs 2013-10-21 11:08:03 -05:00
jvazquez-r7 27078eb5a6 Add support for HP imc /BIMS 5.1 2013-10-20 18:18:34 -05:00
jvazquez-r7 b0d32a308a Update version information 2013-10-19 00:52:22 -05:00
jvazquez-r7 7d8a0fc06c Add BID reference 2013-10-19 00:29:43 -05:00
jvazquez-r7 cf239c2234 Add module for ZDI-13-238 2013-10-19 00:05:09 -05:00
jvazquez-r7 70fced1d74 Delete unnecessary requires and make msftidy compliant 2013-10-18 16:54:20 -05:00
jvazquez-r7 dbd74bceed Add the ARCH_CMD target 2013-10-18 16:35:22 -05:00
jvazquez-r7 2339cdc713
Land #2513, @joev-r7's osx persistence local exploit 2013-10-18 15:13:50 -05:00
joev 83f27296d3 Fix some bugs in osx persistence.
- the RUN_NOW datastore option did not work as expected
- Adds support for OSX < 10.4 KeepAlive option
- organizes private methods alphabetically.
2013-10-18 14:12:33 -05:00
Meatballs 4e4d0488ae
Rubyfy constants in privs lib 2013-10-18 18:26:07 +01:00
joev 681db6cb41 Use fully qualified constant in include. 2013-10-18 11:31:02 -05:00
joev 05bea41458 mkdir -p the dirname, not the file. 2013-10-18 11:27:37 -05:00
root 2e0a14d719 Introduced PrependMigrate, PPID killing and general clean-up 2013-10-18 12:24:50 -04:00
Norbert Szetei 9d6031acdb Reverting payload_inject because of x64 shellcode
Injecting x64 shellcode in a SYSWOW64 process spawn a 32 bit notepad, so
we revert the changes.
2013-10-18 09:51:18 +02:00
joev 7a47059e1d Fix a couple more shellescapes. 2013-10-18 00:47:22 -05:00
joev a2e3c6244e Remove unnecessary Exe::Custom logic.
- this is handled by the exe.rb mixin.
- adds support for a RUN_NOW datastore option.
- tested working on java meterpreter and x86 shell session.
2013-10-18 00:41:18 -05:00
jvazquez-r7 7dd39ae5e6 Update ranking 2013-10-17 22:43:47 -05:00
jvazquez-r7 a00a813649 Add real device libraries base addresses 2013-10-17 22:34:54 -05:00
Meatballs 55426882d4
Further bypassuac tidyup 2013-10-18 00:08:06 +01:00
Meatballs e450e34c7e
Merge branch 'master' of github.com:rapid7/metasploit-framework into low_integ_bypassuac
Conflicts:
	modules/exploits/windows/local/bypassuac.rb
2013-10-17 23:35:36 +01:00
Meatballs 5a662defac
Post::Privs uses Post::Registry methods 2013-10-17 23:28:07 +01:00
James Lee 94db3f511a Avoid extra slash in redirect URI
[SeeRM #8507]
2013-10-17 14:10:15 -05:00
jvazquez-r7 be1d6ee0d3 Support Windows CMD generic payload 2013-10-17 14:07:27 -05:00
Tod Beardsley 22b4bf2e94
Resplat webtester_exec.rb 2013-10-17 13:30:54 -05:00
Tod Beardsley 07ab53ab39
Merge from master to clear conflict
Conflicts:
	modules/exploits/windows/brightstor/tape_engine_8A.rb
	modules/exploits/windows/fileformat/a-pdf_wav_to_mp3.rb
2013-10-17 13:29:24 -05:00
jvazquez-r7 7f6dadac16 Merge for sync 2013-10-17 10:40:01 -05:00
Davy Douhine b03783baec minors fixes and rand for endstring 2013-10-17 17:10:05 +02:00
Davy Douhine 22eb2ba163 randstring and fixes 2013-10-17 16:51:34 +02:00
jvazquez-r7 352eca1147 Fix check method and set a big space available for payload 2013-10-17 09:30:59 -05:00
Norbert Szetei 563bf4e639 Fix bug #8502, used %PATH% for notepad invocation
We use system %PATH% for notepad executable instead of the absolute
path, because it caused a problem with the migrate script in a 64-bit
meterpreter session. By default the wordpad binary is not in the
%PATH%, so the condition in hp_nnm_ovbuildpath_textfile.rb was not
changed.
2013-10-17 15:41:12 +02:00
bcoles 54cf7855a2 Add WebTester 5.x Command Execution exploit module 2013-10-17 16:57:57 +10:30
jvazquez-r7 3d3a7b3818 Add support for OSVDB 86824 2013-10-17 01:08:01 -05:00
sinn3r 7a0671eba9
Land #2531 - rm deprecated mods 2013-10-16 20:02:58 -05:00
James Lee a54b4c7370
Land #2482, use runas when UAC is DoNotPrompt 2013-10-16 17:51:11 -05:00
Tod Beardsley f1a67ecafe
Remove overdue deprecated modules
[See PT #56795804]
[See PT #56796034]
2013-10-16 17:02:28 -05:00
sinn3r 0ce221274b Change JS comments in Ruby. 2013-10-16 16:40:54 -05:00
Tod Beardsley ba2c52c5de
Fixed up some more weird splat formatting. 2013-10-16 16:25:48 -05:00
James Lee 4fa3b8f820 Add support for IE7 on XP 2013-10-16 15:56:34 -05:00
sinn3r 06a212207e Put PrependMigrate on hold because of #1674
But I will probably still want this.
2013-10-16 09:24:46 -05:00
sinn3r ac78f1cc5b Use Base64 encoding for OS parameter
I didn't even realize we already added this in server.rb. So instead
of just escaping the OS parameter, we also encode the data in base64.
I also added prependmigrate to avoid unstable conditions for the payload.
2013-10-15 23:37:11 -05:00
Tod Beardsley 5d86ab4ab8
Catch mis-formatted bracket comments. 2013-10-15 14:52:12 -05:00
Tod Beardsley ed0b84b7f7
Another round of re-splatting. 2013-10-15 14:14:15 -05:00
Tod Beardsley c83262f4bd
Resplat another common boilerplate. 2013-10-15 14:07:48 -05:00
Tod Beardsley 23d058067a
Redo the boilerplate / splat
[SeeRM #8496]
2013-10-15 13:51:57 -05:00
jvazquez-r7 c68319d098 Fix author 2013-10-15 12:59:19 -05:00
jvazquez-r7 f60b29c7a6
Land #2503, @MrXors's local exploit using VSS 2013-10-15 12:35:26 -05:00
MrXors f345414832 Added correct spelling in info 2013-10-15 10:13:18 -07:00
jvazquez-r7 0b9cf24103 Convert vss_persistence to Local Exploit 2013-10-15 11:11:04 -05:00
William Vu 31dc7c0c08 Land #2522, @todb-r7's pre-release module fixes 2013-10-14 15:37:23 -05:00
Tod Beardsley 63e40f9fba
Release time fixes to modules
* Period at the end of a description.
  * Methods shouldn't be meth_name! unless the method is destructive.
  * "Setup" is a noun, "set up" is a verb.
  * Use the clunky post module naming convention.
2013-10-14 15:17:39 -05:00
sinn3r 15e8c3bcd6 [FixRM #8470] - can't convert nil into String
Target selection bug in ms13_069_caret.rb. Happens when the target
is Win 7 + IE8, which actually isn't a suitable target.

[FixRM #8470]
2013-10-14 14:10:08 -05:00
jvazquez-r7 75aaded842
Land #2471, @pyoor's exploit for CVE-2013-5743 2013-10-14 14:03:28 -05:00
jvazquez-r7 a6f17c3ba0 Clean zabbix_sqli 2013-10-14 14:01:58 -05:00
William Vu eab90e1a2e Land #2491, missing platform info update 2013-10-14 10:38:25 -05:00
root de156dc8da new exploit module for CVE-2008-2286, Altiris DS 2013-10-13 22:39:49 -04:00
sinn3r 74f37c58b2
Land #2514 - Update CVE reference for Joomla 2013-10-13 12:58:23 -05:00
joev e2a9339592 Add CVE to joomla media upload module. 2013-10-12 21:20:11 -05:00
joev ea9235c506 Better whitespace. 2013-10-12 20:53:16 -05:00
joev 78b29b5f20 Bring osx persistence module to the finish line. 2013-10-12 20:50:53 -05:00
jvazquez-r7 3dbdc9f848
Land #2510, @wchen-r7's exploit for cve-2013-3897 2013-10-12 20:06:41 -05:00
sinn3r 9725918be8 Remove junk variables/params 2013-10-12 18:51:57 -05:00
sinn3r 2153dd26eb
Land #2501 - HP Data Protector Cell Request Service Buffer Overflow 2013-10-12 16:55:48 -05:00
joev 5a1b099570 Make osx persistence a local exploit. 2013-10-12 16:47:35 -05:00
sinn3r bc317760dc Make the GET params a little bit harder to read. 2013-10-12 16:37:49 -05:00
jvazquez-r7 172c6b9b8f Escape dots on regexs 2013-10-12 16:15:10 -05:00
joev 4fe407d7ee Move osx persistence to a local exploit. 2013-10-12 16:08:22 -05:00
sinn3r b139757021 Correct a typo in description 2013-10-12 13:24:36 -05:00
sinn3r 79c612cd67 Add MS13-080 (CVE-2013-3897): Internet Explorer CDisplayPointer Use-After-Free
This module exploits a vulnerability found in Microsoft Internet Explorer.
It was originally found being exploited in the wild targeting Japanese and
Korean IE8 users on Windows XP, around the same time frame as CVE-2013-3893,
except this was kept out of the public eye by multiple research companies and
the vendor until the October patch release.

This issue is a use-after-free vulnerability in CDisplayPointer via the use of
a "onpropertychange" event handler. To setup the appropriate buggy conditions,
we first craft the DOM tree in a specific order, where a CBlockElement comes after
the CTextArea element. If we use a select() function for the CTextArea element,
two important things will happen: a CDisplayPointer object will be created for
CTextArea, and it will also trigger another event called "onselect". The "onselect"
event will allow us to setup for the actual event handler we want to abuse -
the "onpropertychange" event. Since the CBlockElement is a child of CTextArea,
if we do a node swap of CBlockElement in "onselect", this will trigger
"onpropertychange".  During "onpropertychange" event handling, a free of the
CDisplayPointer object can be forced by using an "Unslect" (other approaches
also apply), but a reference of this freed memory will still be kept by
CDoc::ScrollPointerIntoView, specifically after the CDoc::GetLineInfo call,
because it is still trying to use that to update CDisplayPointer's position.
When this invalid reference arrives in QIClassID, a crash finally occurs due to
accessing the freed memory. By controling this freed memory, it is possible to
achieve arbitrary code execution under the context of the user.
2013-10-12 13:01:17 -05:00
Joe Barrett d929bdfaab Re-fixing 8419, consistency is important. 2013-10-12 08:09:19 -04:00
James Lee dfe74ce36c Factorize sock_sendpage 2013-10-11 13:40:01 -05:00
jvazquez-r7 0b93996b05 Clean and add Automatic target 2013-10-11 13:19:10 -05:00
pyoor 171b70fa7c Zabbix v2.0.8 SQLi and RCE Module
Conflicts:
	modules/exploits/linux/http/zabbix_sqli.rb

Commit completed version of zabbix_sqli.rb
2013-10-10 22:50:02 -04:00
James Lee b9b2c82023 Add some entropy
* Random filename
* Stop shipping debug strings to the exploit executable

Also makes the writable path configurable, so we don't always have to
use /tmp in case it is mounted noexec, etc.
2013-10-10 18:18:01 -05:00
Meatballs 9ca9b4ab29
Merge branch 'master' into data_dir
Conflicts:
	lib/msf/core/auxiliary/jtr.rb
2013-10-10 19:55:26 +01:00
bcoles 276ea22db3 Add VMware Hyperic HQ Groovy Script-Console Java Execution 2013-10-11 05:07:23 +10:30
Meatballs a843722ae3 Concurrent printing of the output no longer makes sense... 2013-10-10 19:01:19 +01:00
Meatballs 536c3c7b92 Use multi railgun call for a large performance increase. 2013-10-10 19:01:14 +01:00
William Vu 9b96351ba2 Land #2494, OSVDB ref for flashchat_upload_exec 2013-10-10 12:58:55 -05:00
jvazquez-r7 f10078088c Add module for ZDI-13-130 2013-10-10 10:06:17 -05:00
James Lee 947925e3a3 Use a proper main signature with arguments
Allows us to `unlink(argv[0])`
2013-10-09 17:22:01 -05:00
James Lee c251596f0b Fix some bugs in preparation for factorizing
* Stop removing \x0a characters with String#scan, which of course breaks
  the shellcode
* Fork so the original session continues to work
2013-10-09 16:03:40 -05:00
jvazquez-r7 e3014a1e91 Fix ZDI Reference 2013-10-09 14:56:42 -05:00
jvazquez-r7 4fd599b7e0
Land #2483, @wchen-r7's patch for [SeeRM #8458] 2013-10-09 14:32:26 -05:00
jvazquez-r7 52574b09cb Add OSVDB reference 2013-10-09 14:13:45 -05:00
sinn3r 1e3b84d39b Update ie_cgenericelement_uaf 2013-10-09 13:40:48 -05:00
Winterspite 0acb170ee8 Bug #8419 - Added platform info missing on exploits 2013-10-08 22:41:50 -04:00
sinn3r 199bd20b95 Update CVE-2013-3893's Microsoft reference
Official patch is out:
http://technet.microsoft.com/en-us/security/bulletin/MS13-080
2013-10-08 13:00:03 -05:00
Tod Beardsley 8b9ac746db
Land #2481, deprecate linksys cmd exec module 2013-10-07 20:44:04 -05:00
sinn3r f7f6abc1dd Land #2479 - Add Joev to the wolfpack 2013-10-07 15:30:23 -05:00
sinn3r f4000d35ba Use RopDb for ms13_069
Target tested
2013-10-07 15:24:01 -05:00
sinn3r 7222e3ca49 Use RopDb for ms13_055_canchor.
All targets tested.
2013-10-07 15:09:36 -05:00
sinn3r 67228bace8 Use RopDb for ie_cgenericelement_uaf.
All targets tested except for Vista, so additional testing will need
to be done during review.
2013-10-07 14:51:34 -05:00
Rob Fuller aed2490536 add some output and fixing 2013-10-07 15:42:41 -04:00
Rob Fuller 75d2abc8c2 integrate some ask functionality into bypassuac 2013-10-07 15:14:54 -04:00
joev 4ba001d6dd Put my short name to prevent conflicts. 2013-10-07 14:10:47 -05:00
joev ec6516d87c Deprecate misnamed module.
* Renames to a linux linksys module.
2013-10-07 14:06:13 -05:00
sinn3r aea63130a4 Use RopDb for ie_cbutton_uaf.
All targets tested except for Vista. Will need additional testing
during review.
2013-10-07 14:03:07 -05:00
Tod Beardsley 219bef41a7
Decaps Siemens (consistent with other modules) 2013-10-07 13:12:32 -05:00
Tod Beardsley 4266b88a20
Move author name to just 'joev'
[See #2476]
2013-10-07 12:50:04 -05:00
sinn3r e016c9a62f Use RopDb msvcrt ROP chain. Tested all targets. 2013-10-07 12:27:43 -05:00
trustedsec 0799766faa Fix UAC is not enabled, no reason to run module when UAC is enabled and vulnerable
The new changes when calling uac_level = open_key.query_value('ConsentPromptBehaviorAdmin') breaks UAC on Windows 7 and Windows 8 and shows that UAC is not enabled when it is:

Here is prior to the change on a fully patched Windows 8 machine:

msf exploit(bypassuac) > exploit

[*] Started reverse handler on 172.16.21.156:4444 
[*] UAC is Enabled, checking level...
[-] UAC is not enabled, no reason to run module
[-] Run exploit/windows/local/ask to elevate
msf exploit(bypassuac) > 

Here's the module when running with the most recent changes that are being proposed:

[*] Started reverse handler on 172.16.21.156:4444 
[*] UAC is Enabled, checking level...
[!] Could not determine UAC level - attempting anyways...
[*] Checking admin status...
[+] Part of Administrators group! Continuing...
[*] Uploading the bypass UAC executable to the filesystem...
[*] Meterpreter stager executable 73802 bytes long being uploaded..
[*] Uploaded the agent to the filesystem....
[*] Sending stage (770048 bytes) to 172.16.21.128
[*] Meterpreter session 6 opened (172.16.21.156:4444 -> 172.16.21.128:49394) at 2013-10-05 15:49:23 -0400

meterpreter > 

With the new changes and not having a return on when 0 (will not always return 0 - just in certain cases where you cannot query) - it works.
2013-10-05 15:56:55 -04:00
jvazquez-r7 24efb55ba9 Clean flashchat_upload_exec 2013-10-05 14:50:51 -05:00
bcoles 08243b277a Add FlashChat Arbitrary File Upload exploit module 2013-10-05 22:30:38 +09:30
sinn3r a8de9d5c8b Land #2459 - Add HP LoadRunner magentproc.exe Overflow 2013-10-04 19:45:44 -05:00
jvazquez-r7 113f89e40f First set of fixes for gestioip_exec 2013-10-04 13:29:27 -05:00
jvazquez-r7 299dfe73f1
Land #2460, @xistence's exploit for clipbucket 2013-10-04 12:26:30 -05:00
jvazquez-r7 8e0a4e08a2 Fix author order 2013-10-04 12:25:38 -05:00
James Lee 68ee692c19 Standardize prints, clean up whitespace/warnings 2013-10-04 11:58:21 -05:00
Tod Beardsley 9b79bb99e0 Add references, correct disclosure date 2013-10-04 09:59:26 -05:00
Tod Beardsley ab786d1466 Imply authentication when a password is set 2013-10-04 09:54:04 -05:00
Brandon Perry 0112d6253c add gestio ip module 2013-10-04 06:39:30 -07:00
xistence 81d4a8b8c1 added clipbucket_upload_exec RCE 2013-10-04 11:43:38 +07:00
jvazquez-r7 646429b4dd Put ready to pull request 2013-10-03 22:15:17 -05:00
jvazquez-r7 5971fe87f5 Improve reliability 2013-10-03 17:19:53 -05:00
jvazquez-r7 39eb20e33a Add module for ZDI-13-169 2013-10-03 16:52:20 -05:00
sinn3r c87e7b3cc1 Land #2451 - Don't overwrite default timeout on get_once 2013-10-03 15:44:40 -05:00
Tod Beardsley 539a22a49e
Typo on Microsoft 2013-10-03 12:20:47 -05:00
Tod Beardsley fcba424308
Kill off EOL spaces on astium_sqli_upload. 2013-10-03 11:01:27 -05:00
jvazquez-r7 77d0236b4e Don't overwrite defaul timeout 2013-10-02 16:15:14 -05:00
Meatballs c460f943f7
Merge branch 'master' into data_dir
Conflicts:
	modules/exploits/windows/local/always_install_elevated.rb
	plugins/sounds.rb
	scripts/meterpreter/powerdump.rb
	scripts/shell/spawn_meterpreter.rb
2013-10-02 20:17:11 +01:00
sinn3r 23b0c3b723 Add Metasploit blog references
These modules have blogs from the Rapid7 community, we should add them.
2013-10-01 20:50:16 -05:00
sinn3r 932ed0a939 Land #2444 - Add SIEMENS Solid Edge ST4 SEListCtrlX ActiveX Vuln 2013-10-01 20:35:17 -05:00
jvazquez-r7 ed82be6fd8 Use RopDB 2013-10-01 13:23:09 -05:00
jvazquez-r7 6483c5526a Add module for OSVDB 93696 2013-10-01 11:42:36 -05:00
sinn3r 9abf727fa6 Land #2439 - Update description 2013-09-30 16:03:15 -05:00
sinn3r 7118f7dc4c Land #2422 - rm methods peer & rport
Because they're already defined in the HttpClient mixin
2013-09-30 16:01:59 -05:00
Brandon Turner 3cfee5a7c0
Land #2440, remaining tabassassin changes 2013-09-30 14:30:50 -05:00
jvazquez-r7 6c8f86883d
Land #2437, @wchen-r7's exploit for CVE-2013-3893 2013-09-30 14:02:29 -05:00
Tab Assassin 2e8d19edcf Retab all the things (except external/) 2013-09-30 13:47:53 -05:00
Tod Beardsley 4dc88cf60f Expand descriptions for ease of use. 2013-09-30 13:30:31 -05:00
sinn3r c82ed33a95 Forgot Math.cos() 2013-09-30 13:29:16 -05:00
sinn3r d6cd0e5c67 Tweak for office 2007 setup 2013-09-30 13:27:59 -05:00
sinn3r ecf4e923e8 Change the target address for spray 1 2013-09-30 11:57:59 -05:00
sinn3r b9aae1c93c Higher address seems better 2013-09-29 18:45:30 -05:00
sinn3r a5ade93ab2 Add CVE-2013-3893 Internet Explorer SetMouseCapture Use-After-Free
This module exploits a use-after-free vulnerability that currents
targets Internet Explorer 9 on Windows 7, but the flaw should exist in
versions 6/7/8/9/10/11. It was initially found in the wild in Japan, but
other regions such as English, Chinese, Korean, etc, were targeted as
well.

The vulnerability is due to how the mshtml!CDoc::SetMouseCapture function
handles a reference during an event. An attacker first can setup two
elements, where the second is the child of the first, and then setup a
onlosecapture event handler for the parent element. The onlosecapture
event seems to require two setCapture() calls to trigger, one for the parent
element, one for the child. When the setCapture() call for the child element
is called, it finally triggers the event, which allows the attacker to cause
an arbitrary memory release using document.write(), which in particular frees
up a 0x54-byte memory. The exact size of this memory may differ based on the
version of IE. After the free, an invalid reference will still be kept and pass
on to more functions, eventuall this arrives in function
MSHTML!CTreeNode::GetInterface, and causes a crash (or arbitrary code execution)
when this function attempts to use this reference to call what appears to be a
PrivateQueryInterface due to the offset (0x00).

To mimic the same exploit found in the wild, this module will try to use the
same DLL from Microsoft Office 2007 or 2010 to leverage the attack.
2013-09-29 18:24:13 -05:00
Meatballs b306415ecf
Tidy and updates to info 2013-09-29 17:32:39 +01:00
Meatballs 29a7059eb4
Update AlwaysInstallElevated to use a generated MSI file
Fixes bugs with MSI::UAC option, invalid logic and typo...
2013-09-29 17:09:03 +01:00
Meatballs 8b800cf5de Merge and resolve conflicts 2013-09-27 18:19:23 +01:00
jvazquez-r7 58600b6475
Land #2423, @TecR0c's exploit for OSVDB 96517 2013-09-27 09:48:52 -05:00